Tuesday, August 18, 2009

[Scrap] Setting up WireShark on Max OS X

I've been playing around with network traces and recently installed Wireshark (formerly Ethereal) which is a packet-capture tool that captures all the traffic across a network. (More from Wikipedia here.)

I had a bit of difficulty getting it up and running. Here is what I did:

2. Move Wireshark.app to /Applications/ and copy all the executables in the Utilities/ directory in the DMG to a place in your PATH, like /usr/local/bin/. (If you're running as a non-admin user, you'll have to authenticate as an admin to do this.)

3. Now, anything in /dev/bpf* needs to be both readable and writable by the admin group in order to run Wireshark. Unfortunately, we have to set these permissions during system start-up. The "Read me first.rtf" file in the Wireshark DMG explains how to copy over a start-up item that will handle this:

The Utilties/ChmodBPF folder [on the DMG], contains the ChmodBPF startup item from the libpcap distribution. This can be used to set the permissions of /dev/bpf* when your system starts up. See Utilties/ChmodBPF/README.macosx for more details.

Copy the entire ChmodBPF folder to /Library/StartupItems. (again, if you're running as a non-admin, you'll have to authenticate as one to copy this over. In fact, Mac OS will probably ask you to "fix" this startup item and reboot after you reboot the first time after this.)

4. At this point, you might think you can reboot and fire up Wireshark. Go for it; see what happens. However...

5. When you first start Wireshark you'll probably get an error that says something like:

The following errors were found while loading the MIBS:
-:0 1 module-not-found failed to locate MIB module `IP-MIB'
...
The key here is that Wireshark is looking for some stuff, and can't find it. After consulting this Wireshark bug thread, the solution seems to be simple:

1) In Wireshark, open the Preferences ("Edit" -> "Preferences").
2) Click on the "Name Resolution" tab.
3) Click on "Edit" next to the entry for "SMI (MIB and PIB) paths".
4) Click "New" and put /usr/share/snmp/mibs/ in there.
5) Click "Ok" until Preferences is closed. Restart Wireshark.
The error above should now be gone.

6. Now, if you're running as an admin user: first, shame on you, punk! Second, you'll probably see a list of network interfaces in Wireshark in the "Interface List". That's good and you're ready to start capturing packets.

However, if you don't see any available interfaces, you're probably running as a non-admin. If you plan on running as a non-admin when you use Wireshark in the future, you need to make one more change. The problem here is that the ChmodBPF start-up item we installed earlier (that changes permissions on /dev/bpf*) only works for users in the admin group. So, we need a way of allowing the user you're running as to at least read stuff in /dev/bpf*.

A simple solution, and you can do this to check and see if you can capture with this change is to simply do sudo chmod o+r /dev/bpf*. That works, but it allows any user on your machine to sniff packets. A better solution is to just add a line to the ChmodBPF script to chown (change the owner of) those things to the user you want to run as:

1) Open the ChmodBPF script, which is located in /Library/StartupItems/ChmodBPF/ChmodBPF, in a text editor.
2) Add a chown line so that the file looks like this: